Posted to users@cxf.apache.org by Sergey Beryozkin <sb...@gmail.com> on 2013/09/12 22:20:47 UTC

Re: OAuth2 username-password flow with Apache CXF

Hi

Thanks for the query, forwarding to the users list,
On 12/09/13 18:37, Messina Andrea wrote:
>
> I'm looking for example code written using the Apache CXF WebClient API that requests an access token using the "Password Access grant Type".
>
> The documentation (http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ClientCredentials) is really very poor on this subject.
>
Right, looking at it now, I agree a bit more info should go into it.
Basically, the idea is that you just register an access token grant handler with 
AccessTokenService. The documentation focuses on the code flow,
and AccessTokenService tries to default to the code grant handler if no 
custom handlers have been registered, so I missed that there is no info 
at all on how the custom handlers can be added; it is really easy.

AccessTokenService has
public void setGrantHandlers(List<AccessTokenGrantHandler> handlers);
and
public void setGrantHandler(AccessTokenGrantHandler handler);

methods, so you set ResourceOwnerGrantHandler (not ClientCredentials, 
which you linked to):

http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java

Note AccessTokenService will authenticate the client itself (using 
client_id and client_secret) and the handler will authenticate the 
resource owner, using ResourceOwnerLoginHandler.
The default ResourceOwnerLoginHandler implementation is JAAS based:

http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/JAASResourceOwnerLoginHandler.java

but you can implement your own logic.

Hope it helps

I'll work on improving the docs

Sergey



> The only input parameters are:
>
> 1) Login endpoint URI
> 2) client_id and client_secret
> 3) user_id and user_secret
>
> Thanks in advance, Andrea
>
>
> Andrea Messina
>
> Blue Reply
> Via Cardinal Massaia, 83
> 10147 - Torino - ITALY
> phone: +39 011 29100
> a.messina@reply.it
> www.reply.it
>
>
>
>
> ________________________________
>
> --
> The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
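The division of labour Sergey describes above, modelled in Python as an added example (this is not CXF's own AccessTokenService or ResourceOwnerGrantHandler code, only a model that borrows their names): the token service first authenticates the client with client_id/client_secret, then dispatches on grant_type to a registered handler, and the password-grant handler authenticates the resource owner through a pluggable login handler, the slot the JAAS handler fills in CXF. The CLIENTS and USERS tables, dict_login_handler and the XXX/YYY/ZZZ/KKK values are constructed placeholders, and the form body is the one Andrea asks for further down the thread, with credentials in the body rather than in an Authorization header (the `false` argument Sergey mentions later).

```python
import hmac
import secrets
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlencode

# Constructed registrations for the demo (placeholder credentials, not real ones).
CLIENTS: Dict[str, str] = {"XXX": "YYY"}   # client_id -> client_secret
USERS: Dict[str, str] = {"ZZZ": "KKK"}     # username -> password

# A login handler takes (username, password) and returns the subject name, or
# None when the resource owner could not be authenticated.  CXF's JAAS-backed
# ResourceOwnerLoginHandler plays this role; a dictionary lookup stands in here.
LoginHandler = Callable[[str, str], Optional[str]]


def _equal(expected: Optional[str], supplied: str) -> bool:
    """Constant-time comparison, so a wrong and a missing credential cost the same."""
    return expected is not None and hmac.compare_digest(expected.encode(), supplied.encode())


def dict_login_handler(username: str, password: str) -> Optional[str]:
    """Hypothetical stand-in for the JAAS login handler."""
    return username if _equal(USERS.get(username), password) else None


class ResourceOwnerGrantHandler:
    """Handles grant_type=password: authenticates the resource owner, then issues a token."""
    grant_type = "password"

    def __init__(self, login_handler: LoginHandler) -> None:
        self.login_handler = login_handler

    def create_access_token(self, params: Dict[str, str]) -> dict:
        if self.login_handler(params.get("username", ""), params.get("password", "")) is None:
            return {"error": "invalid_grant"}           # RFC 6749 5.2: bad owner credentials
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",                     # REQUIRED by RFC 6749 5.1
            "expires_in": 3600,
        }


class AccessTokenService:
    """Authenticates the client, then dispatches to the handler registered for the grant type."""

    def __init__(self) -> None:
        self._handlers: Dict[str, ResourceOwnerGrantHandler] = {}

    def set_grant_handlers(self, handlers: List[ResourceOwnerGrantHandler]) -> None:
        for handler in handlers:
            self._handlers[handler.grant_type] = handler

    def handle_token_request(self, form_body: str) -> dict:
        params = {k: v[0] for k, v in parse_qs(form_body).items()}
        # Step 1: the service itself authenticates the client
        if not _equal(CLIENTS.get(params.get("client_id", "")), params.get("client_secret", "")):
            return {"error": "invalid_client"}
        # Step 2: the registered handler for this grant_type authenticates the owner
        handler = self._handlers.get(params.get("grant_type", ""))
        if handler is None:
            return {"error": "unsupported_grant_type"}
        return handler.create_access_token(params)


def password_grant_body(client_id: str, client_secret: str, username: str, password: str) -> str:
    """The POST body of the password grant, built with proper URL encoding."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret, "username": username, "password": password})


def demo() -> dict:
    service = AccessTokenService()
    service.set_grant_handlers([ResourceOwnerGrantHandler(dict_login_handler)])
    return service.handle_token_request(password_grant_body("XXX", "YYY", "ZZZ", "KKK"))


if __name__ == "__main__":
    print(demo())
```

The two failure paths are deliberately distinct: a wrong client secret is rejected before any grant handler runs (invalid_client), while a wrong resource-owner password is reported by the handler as invalid_grant, which matches the split between AccessTokenService and ResourceOwnerGrantHandler/ResourceOwnerLoginHandler in the message above.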

Re: OAuth2 username-password flow with Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 18/11/13 05:51, jasonw_nz wrote:
> Sergey, how does OAuthClientUtils help with the implicit flow? There
> would be no grant in exchange for token, is there?
>
> More importantly, how to get AccessTokenService to work with
> ImplicitGrantService, I noticed that there is no grantHandler for implicit
> flow.

Yes, because the service itself is a grant handler. It works nearly the 
same as AuthorizationCodeService but delegates directly to 
OAuthDataProvider to create the access token, as opposed to 
AuthorizationCodeService, which has to temporarily persist the user 
approval's code, redirect the user back and then exchange the code for a 
token.

I'd expect no Java code to be used by the implicit code clients, but you 
can use the client utils too if needed; make sure you provide a basic 
AccessTokenHandler which would return a 'token' as a response code. I 
can get such a basic handler into the code, in case people would want to 
use Java Applets as implicit flow clients.

Cheers, Sergey

>
> Can you please point to the right direction?
>
> Thanks,
> jason
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Re-OAuth2-username-password-flow-with-Apache-CXF-tp5733968p5736454.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: OAuth2 username-password flow with Apache CXF

Posted by jasonw_nz <ja...@gmail.com>.
Sergey, how does OAuthClientUtils help with the implicit flow? There
would be no grant in exchange for token, is there? 

More importantly, how to get AccessTokenService to work with
ImplicitGrantService, I noticed that there is no grantHandler for implicit
flow. 

Can you please point to the right direction?

Thanks,
jason




Re: OAuth2 username-password flow with Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
I've fixed the parsing issue, but decided not to default to the Bearer type 
in case an early OAuth2 implementation incorrectly does not return a 
token_type, as it will inevitably lead to an error as soon as 
ClientAccessToken is used, and it is also non-compliant.
However, I added an option to specify an expected token_type, for example 
"bearer": if one works with a well-known service like Salesforce then 
using it when no token_type has been returned is acceptable.

Cheers, Sergey



On 23/09/13 15:37, Sergey Beryozkin wrote:


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
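The two client-side problems discussed in this message and in Andrea's report further down the thread, reproduced in Python as an added example (a model, not CXF's own OAuthClientUtils code): a hand-rolled parser that takes the first ':' in each pair as the key separator and so truncates URL values to `"https`, beside a parser that uses a real JSON decoder and then applies the RFC 6749 section 5.1 rule that token_type is required, with an optional declared type to fall back on for a known non-compliant server. The response body is constructed in the shape of the Salesforce reply Andrea posted, with dummy token and signature values; `expected_type` is this example's name for the option Sergey describes, not necessarily the CXF parameter name, and the class and function names only mirror CXF's.

```python
import json
from typing import Dict, Optional


class OAuthServiceException(Exception):
    """Models the server_error exception Andrea's client received."""


class ClientAccessToken:
    """Minimal model of a client access token: type, key and the extra members."""

    def __init__(self, token_type: str, token_key: str, parameters: Dict[str, object]) -> None:
        self.token_type = token_type
        self.token_key = token_key
        self.parameters = parameters  # non-standard members such as id and instance_url


# Constructed response with the same shape as the Salesforce reply in the
# thread; the token and signature values are dummies, not real credentials.
SALESFORCE_STYLE_RESPONSE = json.dumps({
    "access_token": "00Dxx!DUMMY.ACCESS.TOKEN",
    "id": "https://login.salesforce.com/id/ORGID/USERID",
    "instance_url": "https://eu2.salesforce.com",
    "issued_at": "1379940791153",
    "signature": "DUMMYSIGNATURE=",
})


def naive_parse(body: str) -> Dict[str, str]:
    """A hand-rolled 'JSON' parser of the kind that caused the bug: the first
    ':' of every pair is taken as the key separator, so a URL value is cut
    right after its scheme (id="https), as seen in Andrea's debug output."""
    result: Dict[str, str] = {}
    inner = body.strip()[1:-1]                     # drop the outer braces
    for pair in inner.split(","):
        parts = pair.split(":")                    # a ':' inside the value splits it too
        if len(parts) < 2:
            continue
        key = parts[0].strip().strip('"')
        value = parts[1].strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]                    # only a fully quoted value loses its quotes
        result[key] = value
    return result


def from_map_to_client_token(m: Dict[str, object],
                             expected_type: Optional[str] = None) -> Optional[ClientAccessToken]:
    """Build a token from the decoded response.  token_type is REQUIRED by
    RFC 6749 section 5.1, so a response without it is rejected unless the
    caller declared the type a known non-compliant server is expected to mean."""
    token_key = m.get("access_token")
    token_type = m.get("token_type")
    if token_type is None:
        token_type = expected_type                 # fall back only on an explicit declaration
    elif expected_type is not None and str(token_type).lower() != expected_type.lower():
        return None                                # names are case-insensitive but must match
    if not isinstance(token_key, str) or not isinstance(token_type, str):
        return None
    extra = {k: v for k, v in m.items() if k not in ("access_token", "token_type")}
    return ClientAccessToken(token_type, token_key, extra)


def get_access_token(response_body: str, expected_type: Optional[str] = None) -> ClientAccessToken:
    """Client side of the exchange: a real JSON decoder, so ':' inside a value
    is never mistaken for a separator, followed by the required-field checks."""
    m = json.loads(response_body)
    if "error" in m:
        raise OAuthServiceException(str(m["error"]))  # RFC 6749 section 5.2 error response
    token = from_map_to_client_token(m, expected_type)
    if token is None:
        raise OAuthServiceException("server_error")  # no usable access_token / token_type
    return token


if __name__ == "__main__":
    print(naive_parse(SALESFORCE_STYLE_RESPONSE))
    print(get_access_token(SALESFORCE_STYLE_RESPONSE, expected_type="bearer").parameters)
```

Without `expected_type` the Salesforce-style body is still refused, which is the behaviour Sergey chose to keep; passing `expected_type="bearer"` is the opt-in for a service known to omit the field, and a returned type that contradicts the declared one is refused rather than silently accepted.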

Re: OAuth2 username-password flow with Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi,

comments below,
On 23/09/13 14:11, Messina Andrea wrote:
> Hi.
>
> I found an error in the OAuthClientUtils class that prevents receiving
> (it throws a server_error exception) the access token which was
> correctly delivered from an OAuth2 server
> (https://login.salesforce.com/services/oauth2/token).
>
> Upon invocation of the statement:
>
> ClientAccessToken accessToken = OAuthClientUtils.getAccessToken(client,
> consumer, new ResourceOwnerGrant(USER_ID, USER_SECRET), false);
>
> the server returns the following JSON response:
>
> {
>     "access_token": "00Db0000000aMXb!AREAQB.vuPKijsXNJC.6IXiasoidsaiosadjpa8LLIuyuwX8Y0ZZ7Q2c9jwZw8WPMkNPpS4R31egB2W0asoijdoiasdzG7XKMxdluMKS",
>     "id": "https://login.salesforce.com/id/00Db0000000aMXbEAM/005b0000000JfBnAAK",
>     "instance_url": "https://eu2.salesforce.com",
>     "issued_at": "1379940791153",
>     "signature": "pXd1DyE9zxSfaslkjsadoisadjiROlaoKKItwyOFkB7BP6mXu042Ec2y9M="
> }
>
> Debugging the map variable inside the OAuthClientUtils::getAccessToken
> method, it has the following value:
>
> id="https
> issued_at=1379940055511
> instance_url="https
> signature=9nsanKYsYq15ci049snAXV09UgqNKfZs+2TjFhrwgUw=,
> access_token=00Db0000000aMXb!AREAQB.vuPKijsXNJC.6IXiasoidsaiosadjpa8LLIuyuwX8Y0ZZ7Q2c9jwZw8WPMkNPpS4R31egB2W0asoijdoiasdzG7XKMxdluMKS
>
> First of all, looking at the key-value pairs, there are some
> parsing problems for URL-like values (id & instance_url).
>

Definitely; currently the parsing is done manually, so ":" in the id & 
instance_url values is mis-treated as a JSON key separator. I'll fix it.

> Going ahead in the code execution, I notice that the call to
> fromMapToClientToken(map) returns NULL, because the following condition:
>
> if (map.containsKey(OAuthConstants.ACCESS_TOKEN)
>         && map.containsKey(OAuthConstants.ACCESS_TOKEN_TYPE)) {...}
>
> is evaluated to FALSE:
>
> OAuthConstants.ACCESS_TOKEN --> access_token; PRESENT in the response
> OAuthConstants.ACCESS_TOKEN_TYPE --> token_type; NOT PRESENT in the response
>
> I think that this condition statement should be revised to correctly
> put through the OAuth dance.
>

Well, token_type is a required parameter per
http://tools.ietf.org/html/rfc6749#section-5.1

I saw the same in the demo I did around the Salesforce OAuth2 code flow, 
but I was able to bypass the issue because in our case no OAuth2-centric 
client code was used, so no requirement for the token_type was enforced.

Hmm... Maybe I can relax it a bit; ultimately, it is up to the client 
code what to default to if no token_type is present, for example, default 
to 'Bearer' in case of well-known services like Salesforce, or refuse to 
continue...

Sergey



-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

RE: OAuth2 username-password flow with Apache CXF

Posted by Messina Andrea <a....@reply.it>.
Hi.

I found an error in the OAuthClientUtils class that prevents receiving (it throws a server_error exception) the access token which was correctly delivered from an OAuth2 server (https://login.salesforce.com/services/oauth2/token).

Upon invocation of the statement:

    ClientAccessToken accessToken = OAuthClientUtils.getAccessToken(client, consumer, new ResourceOwnerGrant(USER_ID, USER_SECRET), false);

the server returns the following JSON response:

{
    "access_token": "00Db0000000aMXb!AREAQB.vuPKijsXNJC.6IXiasoidsaiosadjpa8LLIuyuwX8Y0ZZ7Q2c9jwZw8WPMkNPpS4R31egB2W0asoijdoiasdzG7XKMxdluMKS",
    "id": "https://login.salesforce.com/id/00Db0000000aMXbEAM/005b0000000JfBnAAK",
    "instance_url": "https://eu2.salesforce.com",
    "issued_at": "1379940791153",
    "signature": "pXd1DyE9zxSfaslkjsadoisadjiROlaoKKItwyOFkB7BP6mXu042Ec2y9M="
}

Debugging the map variable inside the OAuthClientUtils::getAccessToken method, it has the following value:

    id="https
    issued_at=1379940055511
    instance_url="https
    signature=9nsanKYsYq15ci049snAXV09UgqNKfZs+2TjFhrwgUw=,
    access_token=00Db0000000aMXb!AREAQB.vuPKijsXNJC.6IXiasoidsaiosadjpa8LLIuyuwX8Y0ZZ7Q2c9jwZw8WPMkNPpS4R31egB2W0asoijdoiasdzG7XKMxdluMKS

First of all, looking at the key-value pairs, there are some parsing problems for URL-like values (id & instance_url).

Going ahead in the code execution, I notice that the call to "fromMapToClientToken(map)" returns NULL, because the following condition:

    if (map.containsKey(OAuthConstants.ACCESS_TOKEN)
            && map.containsKey(OAuthConstants.ACCESS_TOKEN_TYPE)) {...}

is evaluated to FALSE:

    OAuthConstants.ACCESS_TOKEN --> access_token; PRESENT in the response
    OAuthConstants.ACCESS_TOKEN_TYPE --> token_type; NOT PRESENT in the response

I think that this condition statement should be revised to correctly put through the OAuth dance.



Thanks,

Andrea Messina









-----Original Message-----
From: Sergey Beryozkin [mailto:sberyozkin@gmail.com]
Sent: Friday, 13 September 2013 14:24
To: Messina Andrea
Cc: users@cxf.apache.org
Subject: Re: OAuth2 username-password flow with Apache CXF

Should be

OAuthClientUtils.getAccessToken(webClient, consumer, new ResourceOwnerGrant("resourceOwnerName", "resourceOwnerPassword"), false);

where 'false' means no Authorization header is created.

Sergey

On 13/09/13 13:22, Sergey Beryozkin wrote:
> Hi,
>
> OAuthClientUtils has this method,
>
> public static ClientAccessToken getAccessToken(WebClient accessTokenService,
>                                                Consumer consumer,
>                                                AccessTokenGrant grant,
>                                                boolean setAuthorizationHeader)
>
> So, for example,
>
> OAuthClientUtils.getAccessToken(webClient, consumer, new
> ResourceOwnerGrant("resourceOwnerName", "resourceOwnerPassword"));
>
> will do it, where 'consumer' represents a Consumer initialized with a
> client id & secret
>
> Cheers, Sergey
>
> On 13/09/13 13:12, Messina Andrea wrote:
>> Hi Sergey.
>>
>> Thanks for the reply.
>>
>> Unfortunately I am unable to construct a working CXF object tree to
>> perform a call for the 2-legged OAuth protocol.
>>
>> The classes I have located are:
>>
>> - WebClient
>> - OAuthClientUtils
>> - AccessTokenService
>> - AccessTokenGrant
>> - Consumer
>> - ResourceOwnerGrantHandler
>> - ResourceOwnerLoginHandler
>>
>> Could you send an example implementation that would be able to invoke
>> a login endpoint supplying the following text in the body part of the
>> HTTP POST request?
>>
>> (PASSWORD GRANT so no user-direct authorization is required)
>>
>> grant_type=password&client_id=XXX&client_secret=YYY&username=ZZZ&password=KKK
>>
>> This could also be helpful for many people looking for it
>> (http://stackoverflow.com/questions/13793395/cxf-2-legged-oauth-example)!
>>
>> Thanks,
>>
>> Andrea

>> Andrea Messina

>>

>> Blue Reply

>> Via Cardinal Massaia, 83

>> 10147 - Torino - ITALY

>> phone: +39 011 29100

>> a.messina@reply.it<ma...@reply.it>

>> www.reply.it<http://www.reply.it>

>>

>> Blue Reply

>>

>> -----Original Message-----

>> From: Sergey Beryozkin [mailto:sberyozkin@gmail.com]<mailto:[mailto:sberyozkin@gmail.com]>

>> Sent: giovedì 12 settembre 2013 22:21

>> To: users@cxf.apache.org<ma...@cxf.apache.org>

>> Cc: Messina Andrea

>> Subject: Re: OAuth2 username-password flow with Apache CXF

>>

>> Hi

>>

>> Thanks for the query, forwarding to the users list, On 12/09/13

>> 18:37, Messina Andrea wrote:

>>

>>  >

>>

>>  > I'm looking for an example code written using Apache CXF WebClient

>> API and requesting an access token using the "Password Access grant

>> Type".

>>

>>  >

>>

>>  > The

>> documentation(http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ClientCredentials).

>>

>> is really very poor about this subject .

>>

>>  >

>>

>> Right, looking at it now, agree a bit more info should go into it,

>> Basically, the idea you just register an access token grant handler

>> with AccessTokenService, the documentation focuses on the code flow

>> and AccessTokenService tries to default to the code grant handler if

>> no custom handlers have been registered, so I missed that no info is

>> there at all on how the custom handlers can be added, it is really

>> easy,

>>

>> AccessTokenService has

>>

>> public void setGrantHandlers(List<AccessTokenGrantHandler> handlers);

>> and public void setGrantHandler(AccessTokenGrantHandler handler);

>>

>> methods. so you set ResourceOwnerGrantHandler (not ClientCredentials

>> which you linked to)

>>

>> http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent

>> /oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/

>> ResourceOwnerGrantHandler.java

>>

>>

>> Note AccessTokenService will authenticate the client itself (using

>> client_id and client_secret) and the handler will authenticate the

>> resource owner, using ResourceOwnerLoginHandler.

>>

>> Default ResourceOwnerLoginHandler implementation is JAAS based:

>>

>> http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent

>> /oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/

>> JAASResourceOwnerLoginHandler.java

>>

>>

>> but you can implement your own logic.

>>

>> Hope it helps

>>

>> I'll work on improving the docs

>>

>> Sergey

>>

>>  > The only input parameters are:

>>

>>  >

>>

>>  > 1) Login endpoint URI

>>

>>  > 2) client_id and client_secret

>>

>>  > 3) user_id and user_secret

>>

>>  >

>>

>>  > Thanks in advance, Andrea

>>

>>  >

>>

>>  >

>>

>>  > Andrea Messina

>>

>>  >

>>

>>  > Blue Reply

>>

>>  > Via Cardinal Massaia, 83

>>

>>  > 10147 - Torino - ITALY

>>

>>  > phone: +39 011 29100

>>

>>  > a.messina@reply.it<ma...@reply.it> <ma...@reply.it>

>>

>>  > www.reply.it<http://www.reply.it> <http://www.reply.it>

>>

>>  >

>>

>>  >

>>

>>  >

>>

>>  >

>>

>>  > ________________________________

>>

>>  >

>>

>>  > --

>>

>>  > The information transmitted is intended for the person or entity

>> to which it is addressed and may contain confidential and/or

>> privileged material. Any review, retransmission, dissemination or

>> other use of, or taking of any action in reliance upon, this

>> information by persons or entities other than the intended recipient

>> is prohibited. If you received this in error, please contact the

>> sender and delete the material from any computer.

>>

>>  >

>>

>> --

>>

>> Sergey Beryozkin

>>

>> Talend Community Coders

>>

>> http://coders.talend.com/

>>

>> Blog: http://sberyozkin.blogspot.com

>>

>>

>> ---------------------------------------------------------------------

>> ---

>>

>> --

>> The information transmitted is intended for the person or entity to

>> which it is addressed and may contain confidential and/or privileged

>> material. Any review, retransmission, dissemination or other use of,

>> or taking of any action in reliance upon, this information by persons

>> or entities other than the intended recipient is prohibited. If you

>> received this in error, please contact the sender and delete the

>> material from any computer.

>

>





--

Sergey Beryozkin



Talend Community Coders

http://coders.talend.com/



Blog: http://sberyozkin.blogspot.com





________________________________

--
The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
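Andrea's report turns on the strict check in fromMapToClientToken: a provider that answers with access_token but no token_type gets a null token. The Python below is an added example, not code from the thread or from CXF, that models the same check over a constructed token response (placeholder values; a JSON body with the URL-valued id and instance_url fields the report mentions and no token_type, plus a form-encoded body that does carry token_type). It uses real JSON and form parsers so the URL-like values survive, shows why the strict condition yields null, names which REQUIRED field is absent, and offers a lenient variant that defaults only the token type. All function names here are this example's own.

```python
import json
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Keys named after the OAuthConstants quoted in the report.
ACCESS_TOKEN = "access_token"
ACCESS_TOKEN_TYPE = "token_type"

# Constructed token responses with placeholder values (not real tokens).
# The JSON one has the shape described in the report: URL-valued id and
# instance_url fields, an access_token, and no token_type at all.
SAMPLE_JSON_RESPONSE = json.dumps({
    "id": "https://login.example.test/id/ORG-PLACEHOLDER/USER-PLACEHOLDER",
    "issued_at": "1379000000000",
    "instance_url": "https://na1.example.test",
    "signature": "SIGNATURE-PLACEHOLDER",
    "access_token": "ACCESS-TOKEN-PLACEHOLDER",
})
SAMPLE_FORM_RESPONSE = (
    "access_token=ACCESS-TOKEN-PLACEHOLDER&token_type=bearer"
    "&instance_url=https%3A%2F%2Fna1.example.test"
)


def response_to_map(body: str, content_type: str) -> Dict[str, str]:
    """Turn a token endpoint response into a flat string map.

    JSON and form-encoded bodies go through real parsers, so URL-valued
    fields containing ':', '/' or '=' survive intact instead of being
    mangled by a hand-rolled split on separators."""
    if content_type.startswith("application/json"):
        return {k: str(v) for k, v in json.loads(body).items()}
    if content_type.startswith("application/x-www-form-urlencoded"):
        parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True)
        return {k: v[0] for k, v in parsed.items()}
    raise ValueError(f"unsupported token response type: {content_type}")


def from_map_to_client_token(token_map: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Strict conversion mirroring the condition quoted in the report:
    both access_token and token_type must be present, otherwise None."""
    if ACCESS_TOKEN in token_map and ACCESS_TOKEN_TYPE in token_map:
        return {"token_key": token_map[ACCESS_TOKEN],
                "token_type": token_map[ACCESS_TOKEN_TYPE].lower()}
    return None


def missing_required_fields(token_map: Dict[str, str]) -> List[str]:
    """RFC 6749 section 5.1 marks access_token and token_type as REQUIRED.
    Naming the missing one turns a silent null into an actionable error."""
    return [k for k in (ACCESS_TOKEN, ACCESS_TOKEN_TYPE) if k not in token_map]


def from_map_to_client_token_lenient(token_map: Dict[str, str],
                                     default_type: str = "bearer") -> Optional[Dict[str, str]]:
    """Tolerant variant for providers that omit token_type.

    Only the token type is defaulted; a missing access_token is still a
    hard failure, because there is nothing sensible to default it to."""
    if ACCESS_TOKEN not in token_map:
        return None
    return {"token_key": token_map[ACCESS_TOKEN],
            "token_type": token_map.get(ACCESS_TOKEN_TYPE, default_type).lower()}


if __name__ == "__main__":
    token_map = response_to_map(SAMPLE_JSON_RESPONSE, "application/json")
    print("strict  :", from_map_to_client_token(token_map))
    print("missing :", missing_required_fields(token_map))
    print("lenient :", from_map_to_client_token_lenient(token_map))
```

Run stand-alone, the strict conversion prints None for the constructed JSON response, the missing-field report names token_type, and the lenient conversion returns a bearer token. The lenient path is the pragmatic fix for a non-conforming provider; the missing-field report is what to surface in logs so the failure is attributable to the provider rather than to the client library.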

RE: OAuth2 username-password flow with Apache CXF

Posted by Messina Andrea <a....@reply.it>.
This is what I was looking for.

Thanks a lot




Re: OAuth2 username-password flow with Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
Should be

OAuthClientUtils.getAccessToken(webClient, consumer, new ResourceOwnerGrant("resourceOwnerName", "resourceOwnerPassword"), false);

where 'false' means no Authorization header is created
Sergey
-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: OAuth2 username-password flow with Apache CXF

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi,

OAuthClientUtils has this method,

public static ClientAccessToken getAccessToken(WebClient accessTokenService,
                                               Consumer consumer,
                                               AccessTokenGrant grant,
                                               boolean setAuthorizationHeader)

So, for example,

OAuthClientUtils.getAccessToken(webClient, consumer, new ResourceOwnerGrant("resourceOwnerName", "resourceOwnerPassword"));

will do it, where 'consumer' represents Consumer initialized with a 
client id & secret

Cheers, Sergey


RE: OAuth2 username-password flow with Apache CXF

Posted by Messina Andrea <a....@reply.it>.
Hi Sergey.

Thanks for the reply.

Unfortunately I am unable to construct a working cxf-tree-objects to perform a call for the 2-legged OAuth protocol.

The classes I have located are:

· WebClient
· OauthClientUtils
· AccessTokenService
· AccessTokenGrant
· Consumer
· ResourceOwnerGrantHandler
· ResourceOwnerLoginHandler

Could you send an example implementation that would be able to invoke a login endpoint supplying the following text in the body part of the HTTP POST request?

(PASSWORD GRANT so no user-direct authorization is required)

grant_type=password&client_id=XXX&client_secret=YYY&username=ZZZ&password=KKK

This could also be helpful for many people looking for it (http://stackoverflow.com/questions/13793395/cxf-2-legged-oauth-example)!

Thanks,

Andrea





________________________________

--
The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
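Sergey's replies in this thread describe the two halves of the password grant: on the client, getAccessToken with a ResourceOwnerGrant and false sends the request with no Authorization header, so client_id and client_secret travel in the body Andrea asks for; on the server, AccessTokenService authenticates the client itself and the registered ResourceOwnerGrantHandler authenticates the resource owner through a ResourceOwnerLoginHandler. The Python below is an added example, not CXF code, that models that exchange with both sides' messages. The client (XXX/YYY) and resource owner (ZZZ/KKK) reuse the placeholders from Andrea's request body; the function names, the in-memory stores and the choice to carry client credentials in exactly one place (Basic header or body, chosen by the boolean) are assumptions of this example, not a description of CXF internals.

```python
import base64
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# ---- client side: what a getAccessToken(..., setAuthorizationHeader) call sends


def build_password_grant_request(client_id: str, client_secret: str,
                                 username: str, password: str,
                                 set_authorization_header: bool) -> Tuple[Dict[str, str], str]:
    """Return (headers, form body) for a grant_type=password request.

    Assumption of this example (a model, not CXF code): the client
    credentials travel in exactly one place. True puts them in an HTTP
    Basic Authorization header; False puts client_id/client_secret in
    the body, which gives the body shape asked for in the thread."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if set_authorization_header:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
        form = {"grant_type": "password", "username": username, "password": password}
    else:
        form = {"grant_type": "password", "client_id": client_id,
                "client_secret": client_secret, "username": username, "password": password}
    return headers, urlencode(form)


# ---- server side: token service, grant handler and login handler as functions

# Constructed in-memory registrations reusing the thread's placeholders.
# A real store would keep salted hashes, never the secrets themselves.
REGISTERED_CLIENTS = {"XXX": "YYY"}
RESOURCE_OWNERS = {"ZZZ": "KKK"}


def _secret_equal(expected: str, supplied: str) -> bool:
    # Constant-time comparison so timing does not leak how much of a secret matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def authenticate_client(headers: Dict[str, str], form: Dict[str, str]) -> Optional[str]:
    """First step of the token service: authenticate the client itself,
    from Basic auth when present, else from client_id/client_secret in the body."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        client_id, _, client_secret = decoded.partition(":")
    else:
        client_id = form.get("client_id", "")
        client_secret = form.get("client_secret", "")
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None or not _secret_equal(expected, client_secret):
        return None
    return client_id


def login_handler(username: str, password: str) -> Optional[str]:
    """Stand-in for ResourceOwnerLoginHandler (the JAAS one in CXF):
    returns the authenticated owner's name, or None."""
    expected = RESOURCE_OWNERS.get(username)
    if expected is None or not _secret_equal(expected, password):
        return None
    return username


def resource_owner_grant_handler(form: Dict[str, str],
                                 login: Callable[[str, str], Optional[str]] = login_handler) -> Dict[str, object]:
    """Stand-in for ResourceOwnerGrantHandler: the client is already
    authenticated; this step authenticates the resource owner and issues the token."""
    owner = login(form.get("username", ""), form.get("password", ""))
    if owner is None:
        return {"error": "invalid_grant"}
    # token_type is REQUIRED (RFC 6749 section 5.1); leaving it out is exactly
    # what made the strict client-side check earlier in the thread return null.
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600}


# Equivalent of registering handlers with setGrantHandler(s): grant_type -> handler.
GRANT_HANDLERS = {"password": resource_owner_grant_handler}


def access_token_service(headers: Dict[str, str], body: str) -> Dict[str, object]:
    """Token endpoint: authenticate client, dispatch on grant_type, return token or error."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if authenticate_client(headers, form) is None:
        return {"error": "invalid_client"}
    handler = GRANT_HANDLERS.get(form.get("grant_type", ""))
    if handler is None:
        return {"error": "unsupported_grant_type"}
    return handler(form)


if __name__ == "__main__":
    hdrs, body = build_password_grant_request("XXX", "YYY", "ZZZ", "KKK", False)
    print(body)                                # the body shape from the thread
    print(access_token_service(hdrs, body))    # token response with token_type=Bearer
```

The order of checks matters for what an attacker can learn: a wrong client secret is rejected as invalid_client before the grant type or the user's password is even looked at, and a wrong user password yields invalid_grant without revealing whether the username exists. Because the issued response always carries token_type, the strict client-side check discussed earlier in the thread accepts it.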